{"id":2403,"date":"2018-08-16T00:00:00","date_gmt":"2018-08-16T00:00:00","guid":{"rendered":""},"modified":"2023-05-11T15:38:07","modified_gmt":"2023-05-11T22:38:07","slug":"installing-certificates-into-iot-devices","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/installing-certificates-into-iot-devices\/","title":{"rendered":"Installing certificates into IoT devices"},"content":{"rendered":"
Update:<\/strong> For the most relevant information regarding Azure IoT devices, please visit documentation for Security practices for Azure IoT device manufacturers<\/a>.\u200b<\/div>\n

Lots of folks are moving to X.509 certificate-based authentication<\/a> as they start to use the Azure IoT Hub Device Provisioning Service<\/a>, which is great! But I've gotten lots of questions about what the best practices are, and how to go about doing it at scale. There are a lot of variables that influence where certs come from and how they are installed, and who owns each stage depends on the specific processes and business relationships in place. This blog post is meant to provide some clarity around the cert generation and installation process for IoT devices at production-level scales.<\/p>\n

One note before I begin, if you already have a system in place for installing certificates on your IoT devices and its working out for you, great! Feel free to stop reading and check out some of our other content<\/a>. This blog post is for folks who are just making the switch to using certificates on IoT devices and are struggling with figuring out what works best.<\/p>\n

Mandatory security rant<\/h2>\n

If you're coming from the land of passwords and want a quick fix, you might be asking yourself why you can't use the same certificate in all your devices like you would be able to use the same password in all your devices. First, using the same password everywhere is really bad practice and has already caused several major DDoS attacks, including the one that took down DNS on the US East Coast a few years back. So don't ever do this, even with your own personal accounts. Second, certificates are not passwords they are complete identities. A password is like knowing the secret phrase to get into the clubhouse, a certificate is the bouncer asking to see your driver's license. It\u2019s like if I got multiple copies made of my passport and gave you one to use for identification. Either you give my name and my passport and impersonate me (AKA spoof my identity), or you give your name and my passport and the border control agent kicks you out for not having an ID matching your name.<\/p>\n

Variables involved in certificate decisions<\/h2>\n

There are several variables that come into play when you decide to use certificates in your IoT devices. The heavy hitters are as follows.<\/p>\n

Where the certificate root of trust comes from<\/strong>. Make this decision based on your own cost tolerances and masochism levels \u2013 managing a public key infrastructure (PKI), especially if your company does not have experience doing so, is not for the faint of heart. Your options are:<\/p>\n